Topics in this week’s digest include a race condition in the Linux Perf subsystem, denial of service in BIND, and a Risk Assessment Calculator based on OWASP’s risk rating methodology.
Race condition in the Linux Perf subsystem
The Perf subsystem in Linux is a kernel-based subsystem that provides a framework for hardware and software performance analysis and monitoring. It was originally merged into the Linux kernel in v2.6.31 and has a userspace utility (perf) that interfaces with the kernel subsystem. The userspace perf tool can record, count, and sample hardware events (context switches and instructions executed by the registers in the CPU) and software events (through software counters and tracepoints).
The vulnerability CVE-2022-1729, classified as CWE-362, is a race condition in the perf_event_open syscall and was discovered by Norbert Slusarek. According to the man page, “A call to perf_event_open() creates a file descriptor that allows measuring performance information. Each file descriptor corresponds to one event that is measured; these can be grouped together to measure multiple events simultaneously.”
The race condition seems to have been present since kernel v4.0-rc1, and could result in privilege escalation and arbitrary code execution. The patch for this vulnerability is part of the Linux kernel 5.17.10-rc1 release cycle.
Additionally, a mitigation suggested by Red Hat is to set the kernel.perf_event_paranoid variable to ‘3’ via sysctl, which restricts unprivileged users from accessing the Perf subsystem in the kernel.
Denial of Service in BIND
ISC released a security advisory last week for a high severity vulnerability affecting BIND versions 9.18.0 through 9.18.2 and v9.19.0 of the 9.19 development branch. The vulnerability, originally discovered by Thomas Amgarten, is exploitable over a network and has an assigned CVSS score of 7.0 by the ISC.
A successful exploit under certain circumstances causes the named daemon to terminate with an assertion failure (leading to denial of service) if a client TLS connection to the http TLS listener is destroyed too early. Vulnerable systems consist of BIND servers that have DNS over HTTPS enabled and include a reference to http within the listen-on statements in their named configurations. Configurations using DNS over TLS alone are unaffected by this vulnerability as per the advisory.
Currently, there are no known workarounds. ISC advises upgrading to v9.18.3 on the stable branch or v9.19.1 on the development branch for mitigation.
Risk Assessment Calculator
In the vulnerability management lifecycle, it is important to estimate the technical and business impact associated with new vulnerabilities that may affect an organization’s infrastructure.
Risk assessment methodologies take into account various factors such as the likelihood of exploitation, the skill level of the adversary, and the ease of discovery, to name a few.
One such methodology by OWASP calculates an overall risk severity based on these factors.
A risk assessment calculator by Ivan Markovic, which is based on OWASP’s risk rating methodology, is available as an open source tool. The risk is calculated as:
Risk = Likelihood * Impact
In the above formula, the likelihood of exploitation depends upon a couple of factors that further take into account relevant considerations:
- Threat agent: skill level; motive; opportunity; and size of the threat actors.
- Vulnerability factors: ease of discovery and exploit; awareness of the vulnerability; and detection of exploit by an Intrusion Detection System.
Similarly, the factors affecting the overall impact of a vulnerability include:
- Technical impact factors: loss of confidentiality, integrity, availability, and accountability of a threat actor’s actions.
- Business factors: financial and reputation damage; non-compliance; and privacy violations.
As such, the overall risk score of a vulnerability enables owners to make an informed decision and helps in prioritizing patching.
The source code of the calculator can be found on GitHub, and more details about OWASP’s risk assessment methodology are available here.
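The calculation described above, as an added example that is not taken from Ivan Markovic’s calculator or from OWASP’s own material: each of the 16 factors is scored 0-9, likelihood and impact are the averages of their eight factors, and the product in the formula is read off OWASP’s severity matrix rather than multiplied numerically. The snake_case factor names, the choice to average all eight impact factors together, and the sample scores are assumptions of this sketch.

```python
from statistics import mean

LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness",         # vulnerability
    "intrusion_detection",
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",              # technical
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)
# OWASP severity matrix, indexed as SEVERITY[impact level][likelihood level].
SEVERITY = {
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
}

def level(score):
    """Map a 0-9 average to OWASP's bands: <3 LOW, 3 to <6 MEDIUM, 6-9 HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def _average(scores, names):
    missing = [n for n in names if n not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    values = [scores[n] for n in names]
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("each factor must be scored 0-9")
    return mean(values)

def rate(scores):
    """Return (likelihood, impact, severity) for a dict of 16 factor scores."""
    likelihood = _average(scores, LIKELIHOOD_FACTORS)
    impact = _average(scores, IMPACT_FACTORS)
    return likelihood, impact, SEVERITY[level(impact)][level(likelihood)]

# Constructed sample scores for a hypothetical finding (not a real assessment).
SAMPLE = {
    "skill_level": 6, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6,
    "intrusion_detection": 8, "loss_of_confidentiality": 2, "loss_of_integrity": 1,
    "loss_of_availability": 7, "loss_of_accountability": 1, "financial_damage": 3,
    "reputation_damage": 4, "non_compliance": 2, "privacy_violation": 3,
}

if __name__ == "__main__":
    print(rate(SAMPLE))
```

OWASP’s text prefers the business impact score over the technical one when the business context is well understood; swapping the impact average for the four business factors only changes `rate`.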